Fix #224: Remove Potential Malicious Link in Parso's Acknowledgement README.rst #225
Conversation
|
Thanks, that makes sense! |
|
Because I'm interested: What tools did you use to find this? Was this something internal? What was the company? Feel free to write here or email me whatever information you're allowed to share. |
|
Sadly I could not tell you what program they used. I’m only a working student in the development apartment. I want to try Jupyternotebook in vscode to check some data from an embedded device recorded on a self programmed stm32.
I was quite shocked and confused about the call they gave me 1h after installing the IPython Kernel.
I hope it does not escalate internally.
It triggered some kind of it security system that checks our one-drive accounts. Maybe if they call me again I can try to ask for the program, but I think it could be some kind of one drive flow that searches each file for suspicious links. It deleted the file automatically.
At home, I wanted to check this problem out by myself to see what it was. That's why I ended up here with the issue.
Hopefully, it will fix that problem in the future and the next time I create a new venv I do not get the same call again.
I do not feel free to share the company name, hopefully, you understand that.
Best regards from Germany
Nils Bestehorn
|
|
Also, do you know if we fixed this now in the main branch, would it automatically be included in the newer version of this repo? I only installed ipykernel and got this repo in version 0.8.4 with the bad link. I looked into ipykernel dependency but they do not mention this repo so it may be included in one of the other mentioned repos in ipykernel. Maybe you know more about where this repo may be included and if so would it be the last updated version without this link, so that the security wouldn't trigger again… (if I get the time in the next few days) |
|
Hi Niels This will probably keep happening if you use the currently released parso. Your change is now on master branch, but not released on PyPI. If you want to use the version with the fix, you can install parso like this: https://parso.readthedocs.io/en/latest/docs/installation.html#from-git. If you use it with Jupyter you can probably just install parso first and then the rest. |
Description
This pull request addresses issue #224 by removing the potentially malicious link from the Acknowledgements section of the
README.rst. The link in question was flagged by internal IT as suspicious and has been excluded to ensure the safety and integrity of theparsopackage.Additional Research:
Changes Made:
README.rst:Salome Schneider https://www.crepes-schnaegg.ch/cr%C3%AApes-schn%C3%A4gg/kunst-f%C3%BCrs-cr%C3%AApes-mobil/
Verification:
Since it appears that the
METADATAfile may be generated from theREADME.rstduring the installation process, it is expected that the link will no longer appear in theMETADATAfile after installing the updated version ofparso. To verify this, please install the updated package in a virtual environment and confirm that theMETADATAfile does not contain the removed link.Additional Notes:
README.rstwith the expectation that it will not be present in the generatedMETADATAfile.Reviewers:
@davidhalter - Could you please review these changes?
Thank you for your attention to this matter.